Weekly Executive Summary for Week Ending June 17, 2016

By Joseph Lorenz on June 17, 2016

Targeted Industries

  • Software
  • Information Technology
  • Retail
  • Telecommunications
  • Bar and Restaurant

Active Threats

  • Anonymous
  • Ghost Squad
  • ScarCruft
  • APT28 Pawn Storm – Tsar Team
  • Inj3ct0r Team

Major Events

  • Enterprises Warned About Risky Connected Third-Party Apps
  • Verizon Patches Serious Email Flaw That Left Millions Exposed
  • 51 Million iMesh Accounts Available on Black Market
  • Let’s Encrypt Accidently Spills 7,600 User Emails

Conclusions

According to CloudLock, a cloud security company, more than 25% of apps used in enterprises are risky, and among the most problematic are connected cloud applications. CloudLock analyzed 150,000 unique apps and 10 million users and found that the use of third-party apps has increased 30 times over the past two years. The company warns organizations not to neglect “shadow IT” (a term for applications and systems used by employees without approval from IT security teams). OAuth is an example of an authorization protocol that can create serious risk for an organization: it lets users grant applications access without sharing their password. This becomes a problem when OAuth-connected applications have access to corporate data and employees use these apps daily without notifying their IT departments. Of the 156,000 third-party apps that have been granted access to corporate systems this year, at least 27% are classified as “high risk”.

Source: Enterprises Warned About Risky Connected Third-Party Apps

Randy Westergren, a senior software developer at XDA Developers, found a critical flaw in the Verizon.net messaging system that impacts an estimated 7 million Verizon FiOS subscribers. The vulnerability would allow attackers to alter customers' email settings and forward their email to any account they chose. This type of vulnerability, known as an IDOR (Insecure Direct Object Reference), would allow any user with a valid Verizon account to bypass authorization checks and access another user's settings directly, because the server acts on a client-supplied identifier without verifying that the caller owns the referenced object. This poses a serious problem because most primary email accounts are used to reset passwords: an attacker who set their own address as the forwarding address would immediately begin receiving the victim's email, including password-reset messages.

Source: Verizon Patches Serious Email Flaw That Left Millions Exposed
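To make the IDOR concrete, here is an added example (not Verizon's code or Westergren's write-up) of a mail-forwarding settings handler in its vulnerable form beside a hardened one. The account store, user names and addresses are constructed sample data; the `Account` and `Forbidden` names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class Forbidden(Exception):
    """Raised when the caller may not access the referenced object."""


@dataclass
class Account:
    account_id: int
    owner: str                       # the logged-in user who owns this mailbox
    forward_to: Optional[str] = None
    notices: List[str] = field(default_factory=list)


# Constructed sample store, keyed by the id a client sends in the request.
ACCOUNTS: Dict[int, Account] = {
    1001: Account(1001, "alice"),
    1002: Account(1002, "bob"),
}


def set_forwarding_vulnerable(session_user: str, account_id: int, new_address: str) -> str:
    """IDOR: the handler trusts the client-supplied account_id and never asks
    whether session_user owns it, so any logged-in user can redirect anyone's mail."""
    acct = ACCOUNTS[account_id]      # no ownership check
    acct.forward_to = new_address
    return acct.forward_to


def set_forwarding_fixed(session_user: str, account_id: int, new_address: str) -> str:
    """Resolve the object, then verify the caller owns it before mutating it.
    A notice is also recorded for the mailbox owner, because a silent forwarding
    change is exactly what lets password-reset mail be hijacked."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct.owner != session_user:
        # One response for "not found" and "not yours", so ids cannot be enumerated.
        raise Forbidden("account not accessible")
    acct.notices.append(f"forwarding address changed to {new_address}")
    acct.forward_to = new_address
    return acct.forward_to


def try_set(handler, session_user: str, account_id: int, new_address: str) -> str:
    """Run a handler and report either the stored address or 'FORBIDDEN'."""
    try:
        return handler(session_user, account_id, new_address)
    except Forbidden:
        return "FORBIDDEN"
```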

iMesh, a peer-to-peer file-sharing service for video and music, was at one time the third largest in the US, but its popularity declined and it was shut down last month. A leak containing the data of 51 million users is being offered for sale for 1 bitcoin ($718 US dollars) by “peace_of_mind”, the same seller allegedly responsible for the LinkedIn password dump. Passwords were stored as salted MD5 hashes, which were easily cracked. The most used passwords among them were the all too familiar “123456”, “password”, and “111111”, all in the top ten; this is a good example of why choosing a strong password is critical. Each leaked record contained an IP address, a country location, and a join date; according to this data 14 million users were from the US, 3.9 million from Turkey, and 3.6 million from the UK, with the remainder mostly from the European Union and the rest of the world. Security experts say that even though the breach is old and the service is defunct, users should still be aware that this leaked information can be used to compromise other accounts, since most users tend to reuse passwords across numerous accounts.

Source: 51 Million iMesh Accounts Available on Black Market, another resource

Certificate authority Let’s Encrypt accidentally disclosed several thousand of its users’ email addresses this weekend in an email announcing an update to the CA's (Certificate Authority's) subscriber agreement. Subscribers received a message that contained a list of other users' email addresses (up to 7,618) in plaintext, and some recipients saw more addresses than others. Officials with the CA say that they noticed the flaw and stopped the mailing, preventing roughly 383,000 emails from going out; the addresses actually released were only a fraction of that.

Source: Let’s Encrypt Accidently Spills 7,600 User Emails

Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into, or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.

Mail us at: uhwocscc@hawaii.edu